A Penetration Tester's Toolkit

Ever wonder exactly how vulnerable your network is? Using these tools
can give you an idea and provide the means to protect yourself.

I don't know about you, but during the years of my IT career, I've become
more and more concerned with security. I'm sure everyone has to a certain
degree, but for me, it has become a daily part of my job (not that I'm
complaining; on the contrary, it's quite exciting). As such, there
are a multitude of tools I've used to get said job done.
Some I like, and some I don't. But, I keep coming back to three in particular:
Nmap, Nessus and Metasploit.

In this article,
I introduce these three tools at a high level to give you an idea of
how to use them and what to use them for. I also provide some examples
from my own experiences to better explain how I use these tools (and
how you could possibly use them) in the real world.

Nmap is my go-to tool when beginning my investigations
on systems. Nmap has enjoyed quite a long life, starting back in 1997.
It's a scanning tool that allows you to perform various tasks, such as
remote scanning, fingerprinting, monitoring, inventory and other such
functions. It utilizes various techniques like packet manipulation
to get the answers to questions like the types of operating systems in use or the
version of Web serving software that's running on a target. It's great
information if you are to protect your network successfully.

The next tool in my bag is Metasploit. Metasploit has come a long way
since its creation in early 2003. Metasploit is a framework
for developing and testing vulnerabilities (these are its core functions;
its features seem almost limitless at times). It's a great tool for
testing server security (just be sure to use test servers,
because you never know when code could crash a box).

Finally, the last
(but certainly not least) tool in my bag is Nessus. Nessus is a scanner
similar to Nmap and has been around almost as long (since 1998). However,
Nessus is capable of running vulnerability code against a machine like
Metasploit (whereas Metasploit can be used both to develop and run
exploitation code), but at a much simpler level. In fact, that's
Nessus' strong point; it's easy to use, like Nmap, and it has some of
the strengths of Metasploit. Depending on the situation, I may use one
or all of these tools, which brings me to a good point—duplication.

Redundant features aren't bad. For example, each one of these tools are capable of doing
basic scans. However, you will find that Nmap runs the fastest
and offers the least intrusive scanning method. These are the things to
consider when taking into account each of these tool's features and how to
best use them.

Regardless of the duplicating features in these tools, take the time to
learn each tool's individual features to find what works best for you.
You might discover that although Nmap is fast, you like the idea of scanning and
exploiting with Nessus (all in one step, if you will). You might like
the simplicity of Nessus but need the strength of Metasploit (for
scripting and grouping tests together). Even though they all get the job
done, it depends on your situation as to how you use these tools.

The first thing to do is install these tools. Because this article is in
Linux Journal, I assume you're running this on a Linux platform,
but all of these tools work on Windows as well.
You could install these tools from your repositories,
but I recommend going to each tool's Web site and installing from its
packages (this ensures that you get the latest version with all current fixes
and gives you the best success for installation).

Installation is pretty
straightforward; just follow the steps from each tool's respective site,
and you'll be fine. As soon as the tools are installed, it's time
to start playing with them. I highly recommend that you have
either a virtual machine or a test machine of some sort as your first target,
so as not to crash anything critical. Nothing's worse than running
a scan against a box, only to find out that you crashed it by accident
(very high possibility with Nessus and Metasploit, depending on what
you are doing) and interrupted someone's work.

For the purpose of this article, I'm going to set up an example scenario.
I am going to use a virtual machine with Windows XP (SP3) loaded on it
to run these three tools against. This machine will be a fresh install
with no patches and the firewall disabled. The reason for this,
quite simply, is to be realistic when running these scans. More often
than not, I have come across this very machine, sitting in a corner,
collecting dust and running some sort of old-mission-critical app (I'm
sure you've encountered something similar). Especially in large
environments, these machines are very easy to forget about and can give
you the biggest amount of trouble.
I have configured the host machine to use an IP of 192.168.56.1, and the
guest machine to use an IP of 192.168.56.101.

Figure 1. Windows XP Machine

Figure 2. Scanning Machine

Let's start with Nmap to begin the information-gathering stage (you have to know what
you're working with) on your
target. Because you know the IP of the machine in question, you don't have to
but just as easily could run a scan against a subnet or some other subset
of IP addresses. For this article, let's stick with 192.168.56.101.
In your terminal, run the following (remember that you can run this
command as a regular user on the machine, as long as said user has access
to /usr/bin/):

nmap -sV -A -v 192.168.56.101 > /tmp/nmap-output

I always send the output to a file, as it's easier to read through
afterward. Before delving into the output, however, let's look at those
switches:

-sV — this tells Nmap the type of scan. In this case, it's a version scan
to see what programs are running on what ports (where available).

-A — this tells Nmap to run a fingerprint check. This means Nmap
will attempt to identify the version of the OS and any related
information correctly.

-v — verbosity—this is important, as you need this to
get critical
information from Nmap.

Note:

When it comes to tools like Nmap, man pages are your friend. Remember that
these tools are extremely complex and have a lot of functions, and that means
a lot of switches. When in doubt, always refer to the man pages, lest you
use the wrong switch and accidentally crash a box (easily done with tools like
Nessus).

Matthew Agle is a 30-year-old senior architect. When he's not focusing on work, hacking, security, his blog or various other hobbies, he can be found playing with his kids and generally annoying his wife.

The botheration I see is that Microsoft bankrupt their own disciplinarian archetypal and a lot of humans are XP users still because they can't allow to bandy out all or a lot auto diagnostics of of their hardware. These humans don't apperceive about or accept alone Linux, conceivably because their in abode software will not plan beneath WINE. There is ReactOS, but ReactOS is not abiding and it is not adapted for day to day use yet.

Very cool article. I have used all these tools (been a while since I used nessus though). Metasploit is awesome, but can be a little overwhelming to use. Nmap is amazing though and has a lot of great features and can be used for a bunch of different things. Great article thank you!

Progress in engineering haven't left the car industry guiding. Do-it-yourself devices can be a issue of your earlier. You could no extra get less than the hood of auto diagnostics the auto to remove elements and put them jointly with out stressing in regards to the car's doing work. Now, fuel techniques, ignition timing, temperature sensors, and so on. are managed and supervised by way of sophisticated pc systems.

This is really highly interesting, I tested this on the hosting account used for my website here and I must say the results were more than surprising. You pointed out a few details I never really cared about much. Really simple if you know the problem, which makes being aware even more important. To sum it up: Thanks :)